Currently we have a system open on our CheckPoint firewall that enables all traffic from the outside (I know this is horrible, and I'm trying to have this fixed). But I saw in our logs today that it was accessed via port 139 multiple times. I know this is a NetBIOS port and I'm concerned. I can't think of any legitimate reason to have a machine connect to that port from the outside world.

My question is, where should I start looking to see if this machine was compromised? Are there any tools that can be run? Logs that I should look at? Any advice would be of great help.

For extra security, you should also deselect file and printer sharing on the Local area connection main page, general tab.

Port 445

Port 445 can be disabled on the host by using the following instructions:

• Select Start
• Select Run
• Type in Regedt32
• Locate the following key in the registry:

o HKLM\System\CurrentControlSet\Services\NetBT\Parameters

• Double-click on the key TransportBindName.
• Delete the value (\Device\), and leave the box blank.
• Close the Registry Editor
• Reboot your computer.

TCP Port 445 is now closed. This can be confirmed on the localhost by running the netstat command.

Port 135 (TCP)

RPC services can't be disabled but the parameters referencing the listening interfaces can be modified to bind this port to the localhost (127.0.0.1) and thus disallow access from external connections:
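A way to script the netstat confirmation mentioned in the answer above, as an added example that is not part of the original post: it parses saved `netstat -an` output and reports listeners on ports 135, 139 and 445 that are reachable off-host, plus established sessions to those ports. The sample output, addresses and function names are constructed for illustration.

```python
# Ports discussed on this page: RPC endpoint mapper, NetBIOS session, SMB over TCP.
WATCHED = {135: "RPC", 139: "NetBIOS session", 445: "SMB"}
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed sample of Windows `netstat -an` output (not taken from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       203.0.113.7:4412       ESTABLISHED
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

def parse(text):
    """Return (local_host, local_port, foreign_addr, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # header, blank and UDP rows (no State column) are skipped
        host, _, port = fields[1].rpartition(":")  # rpartition copes with [::]:445
        if port.isdigit():
            rows.append((host, int(port), fields[2], fields[3]))
    return rows

def exposed_listeners(text):
    """Watched ports listening on an address other than loopback."""
    return sorted(
        (port, host) for host, port, _, state in parse(text)
        if state == "LISTENING" and port in WATCHED
        and not host.startswith(LOOPBACK_PREFIXES)
    )

def inbound_sessions(text):
    """Established connections whose local end is a watched port."""
    return sorted(
        (port, foreign) for _, port, foreign, state in parse(text)
        if state == "ESTABLISHED" and port in WATCHED
    )

if __name__ == "__main__":
    for port, host in exposed_listeners(SAMPLE):
        print(f"still exposed: {WATCHED[port]} on {host}:{port}")
    for port, peer in inbound_sessions(SAMPLE):
        print(f"active session to port {port} from {peer}")
```

On a real host, save the output with `netstat -an > netstat.txt` and pass the file contents to the two functions in place of `SAMPLE`.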